Select your localized edition:

Close ×

More Ways to Connect

Discover one of our 28 local entrepreneurial communities »

Be the first to know as we launch in new countries and markets around the globe.

Interested in bringing MIT Technology Review to your local market?

MIT Technology ReviewMIT Technology Review - logo


Unsupported browser: Your browser does not meet modern web standards. See how it scores »

{ action.text }

It is unclear, though, whether the MBTA can realistically buy the time it needs. Karsten Nohl, a University of Virginia PhD student who was one of the first to publish details of security vulnerabilities in MiFare Classic, the brand of wireless smart card used in Boston’s system, says solving the problems could take a year or two and might even involve replacing all card readers and all cards in circulation.

This is not the first lawsuit to hit researchers who have studied the security of MiFare Classic. Last month, Dutch company NXP Semiconductors, which makes the MiFare cards, sued a Dutch university in an attempt to prevent researchers there from publishing details of similar security flaws. The injunction did not succeed, but as RFID technology continues to proliferate, other security experts are concerned about being able to discuss relevant security research openly.

Bruce Schneier, chief security technology officer at BT Counterpane, says the latest lawsuit only distracts from what’s really at stake. “MiFare sold a lousy product to customers who didn’t know how to ask for a better product,” he says. “That will never get fixed as long as MiFare’s shoddy security is kept secret.” He adds, “The reason we publish vulnerabilities is because there’s no other way for security to improve.”

The same brand of RFID card is used on transport networks in other cities, including London, Los Angeles, Brisbane, and Shanghai, as well as for corporate and government identity passes. The technology has even been incorporated into some credit cards and cell phones.

Nohl says the industry should view the MIT students’ work as a free service that could ultimately lead to better security. Although there has been plenty of academic research on the security of RFID, he says, little has yet made its way into products. “The core of the problem is still industry’s belief that they should build security themselves, and that what they’ve built themselves will be stronger if they keep it secret,” Nohl says.

Meanwhile, independent researchers have come up with a number of ideas for improving the security of RFID cards. Nohl and others are researching better ways of encrypting the information stored on the cards. But part of the problem is that the cards are passive, meaning that they will return a signal to any reader that sends a request. Tadayoshi Kohno and colleagues at the University of Washington are also working on a motion-sensing system that would let users activate their cards with a specific gesture, so that it does not normally respond to requests. Karl Koscher, one of the researchers who worked on the project, says their system is aimed at increasing security without destroying the convenience that has made the cards so popular.

5 comments. Share your thoughts »

Credit: Technology Review

Tagged: Computing, Web, security, MIT, RFID

Reprints and Permissions | Send feedback to the editor

From the Archives


Introducing MIT Technology Review Insider.

Already a Magazine subscriber?

You're automatically an Insider. It's easy to activate or upgrade your account.

Activate Your Account

Become an Insider

It's the new way to subscribe. Get even more of the tech news, research, and discoveries you crave.

Sign Up

Learn More

Find out why MIT Technology Review Insider is for you and explore your options.

Show Me